NtQueryInformationProcess (ProcessImageInformation, 0x25)

1. //http://waleedassar.blogspot.com/   (@waleedassar)
2. //The undocumented ProcessImageInformation 0x25 of the "ZwQueryInformationProcess" function.
3. //This can be used to retrieve various useful info. about a running process. e.g. its entrypoint, whether it has been relocated, file size, etc...
4.  
5. #pragma comment(linker,"/FIXED:NO")
6. #pragma comment(lib,"ntdll.lib")
7.  
8. struct PROCESS_IMAGE_INFORMATION
9. {
10.    unsigned long EntryPoint; //after relocation
11.    unsigned long unk1;
12.    unsigned long SizeOfStackReserve;
13.    unsigned long SizeOfStackCommit;
14.  
15.    unsigned short subsystem;
16.    unsigned short unk2;
17.    unsigned short MinorSubSystemVersion;
18.    unsigned short MajorSubsystemVersion;
19.    unsigned long unk3;
20.    unsigned short characteristics;
21.    unsigned short dll_characteristics;
22.  
23.    unsigned short machine;
24.    unsigned short flags;  //0x0400--->FLAG_IMAGE_RELOCATED 0x1---->???
25.    unsigned long LoaderFlags;
26.    unsigned long FileSize;  //on disk
27.    unsigned long Checksum;
28. };
29.  
30. extern "C"
31. {
32.         int __stdcall ZwQueryInformationProcess(HANDLE,int,PROCESS_IMAGE_INFORMATION*,unsigned long,int*);
33. }
34.  
35. int main(void)
36. {
37.         PROCESS_IMAGE_INFORMATION Q={0};
38.         ZwQueryInformationProcess(GetCurrentProcess(),0x25,&Q,sizeof(Q),0);
39.         printf("My Entrypoint is %X\r\n",Q.EntryPoint);
40.         return 0;